CIS 629

Server Coded Computing

T-Th 1:40-2:55

Office Hours

Note that office hours will be announced in class and posted on office door.

Office Location

Science Research Building Room 1019

Office Telephone

404-880-6957

Email

snorth@cau.edu ; sarah@acm.org

Course

Number/Section

Course Title

Credit

Hours

Semester

Time

Level

(U/G)

CIS

629 Server Coded Computing

3

F 2008

1:40-2:55

U/G

Brief Description

Broad overview of the secure Server Coding in Computing.  Topics to be covered include techniques and tools required to protect information resources in computing.

Prerequisites

if applicable

CIS 521 Information Security

Course Textbook

Wriiting Secure Code, by Michael Howard and David LaBlance, Microsoft 2^nd ed., McGraw Hill Publisher Company, ISBN 0072-86445-1.

The practical strategies and techniques for secure application coding in a networked world.

HTTP Links

http://www.cis.cau.edu/course/cis629

http://www.cis.cau.edu/course/securitylinks

http://www.cis.cau.edu/

http://acm.org/

Course Length

3 hours credit for 16 weeks, 2 one hour and 15 minutes per week.  The total of 48 hours

Course Description:

This course provides an overview of contemporary security issues in server coded computing.   It is designed to teach graduate CIS students’ important issues in secure coding techniques from  both the computational and administrative viewpoint.  Thus the while the primary emphasis of this course is technical – it examines the issues of providing security for information processing systems--secure operating systems and applications, security principles, threat modeling, cryptographic foibles, protecting secure data security protocols, etc., this course also examines security from an administrative perspective- the importance of management and administration, and the secure server coded in computing.

Course Objectives and Learning Outcomes:

This course provides the student with a background, foundation, and insight into the subject of Secure server Coded Computing. This knowledge will serve as a foundation for future study in selected aspects of this important field or as an important dimension to their effectiveness in the broader computer science field. The primary objectives of the course are to

• Understand the importance of securing codes in computing and how it affects our changing world.
• Understand the basic concepts of server security principles, especially the close relation between the objective of machine security and human factors
• Understand the basic concepts of Encryption, Program Threats, and Trusted Operating Systems
• Be capable of developing a Threat Modeling security techniques for an Organization
• Understand the relationship between software development and information security
• Identify the key areas of Secure coding Techniques and how they work
• Learn how to Determining Appropriate Access Control, identifying the issues, consequences, and viewpoints

·        Identify and prioritize information assets

·        Identify and prioritize threats to information assets

·        Define an Cryptographic Foibles information security and key management issues

·        Plan for and respond to intruders in an information system

·        Describe legal and public relations implications of Protecting Secret Data

Course outline and Major Topics

1. Contemporary Security: the Need for Secure Systems
2. Secure Coding Techniques

-         Determining Appropriate Access Control

-         Cryptographic Foibles

-         Protecting Secret Data

-         Web-Specific Input Issues

3.  The risks involved in computing:

-    Risk assessment, acceptance, and management;

-    Risk assessment—information states and valuation;

-         Validation testing;

-         Traffic analysis;

-         and information processing and storage.    

4. Security Testing
5. Secure software Installation
6. Building Privacy into your application
7.  The goals of secure computing: information characteristic, confidentiality, integrity, and availability
8.  The threats to security in computing: interception, interruption, modification, fabrication

- Security investigation procedures

9. Controls Available to Address these Threats:

          -    Human-threats

-         Encryption, programming controls, operating systems,

-         Network controls, administrative controls

-         Law (enforcement interface) and ethics.

-         International laws and legal bodies

10. The meaning of Computer Security
11. Plan security program for users and managers
12. The proactive Security Development Process
13. Threats Modeling
14. Writing Security Documentation and Error Messages
15. Computer Criminals:

-         The career computer criminals and understanding of the targets of computer crime

-         Accountability of the employees for accessing information and protecting their organization (fraud, waste, & abuse)

16. Vulnerabilities management and analysis

-         Records management

-         Records retention

- hardware asset management,

     -  software asset management

     -  mail retention

     -  and other exposed assets

17. Protecting in General-purpose Operating Systems

-         User authentication

-         Controlled access to objects

-         Protecting memory, files and the execution environment  

18. Methods of Defense

-         Concepts of Encryption (clearly address the need for confidentiality of data)

-         Asymmetric encryption and RSA algorithm

-         Key exchange protocols and certifications

-         National policies and procedures (enforcing security through hardware or software means)

-         Controls (software, hardware, physical controls)

-         Handling media (complying with rules and regulation, etc.)

19. Designing Trusted Operating Systems

-         What makes operating systems “secure”? or “trustworthy”?

-         How are trusted systems designed (employee clearance)

-         How do we develop “assurance” of the correctness of a trusted operating system?

-         Evaluation of the “Trusted Computer Systems”

-         Security clearances

14. Information Systems Security Policies

-         Incorporate technical security policies

-         Train users about policies (physical controls, transportation)

-          Evaluate security policies (control disgruntled employees)

-         Ensure adaptive security policies implementation

-         Define computer security principles

-         Risk involve operation security

-         Auditing tools (policy and procedures)

15. Emerging Trends in Certification and Accreditation
16. General good Practice

-         Add Security Comments to Code

Teaching/Learning Methods: (lectures, videos, outside speakers, etc.)

This class is a lecture-focused course, with supplementing homework, assignments, lab and group project work and presentations.

We will use electronic means of communication including email, class web site. Changes will be announced in class and posted on the class web site. Please check it frequently.

We will follow the posted course schedule as closely as possible but it is subject to change based on speaker availability, etc. Changes will be announced in class.

Evaluation Methods

Grading and other policies and expectations:

Assignment Type Weight (%)

• Homework- 20%
• Article Critiques- 20%
• Class Project- 30%
• Class Participation/Attendance/Quizzes- 30%

All assignments and projects are required for passing the course.

CLASS PARTICIPATION AND ATTENDANCE
Discovery does not arise from instruction but from personal engagement with the controversies and potentials of a computerized society.  You have to be in class to contribute to and benefit from that personal engagement. As you saw above, a quarter of your grade depends on class participation and attendance. In this class, engagement will take several forms:

• You will be expected to read, summarize, and interpret the articles for yourself and others.
• You will be expected to study problems, techniques, and approaches individually and in groups, and then present your findings both orally and in writing.
• You will be expected to critique the perspectives/opinions of both authors and classmates in discussions and position papers.

At any class period, you may be asked to summarize and critique readings from the book or elsewhere in an “elevator speech” for the class. On such occasions, you are invited to refer to notes you've made in response to the readings. You may also be quizzed on the high points of the material.

If you are unable to attend class, notify the TA by email before the period begins for consideration of an excused absence.

Required Readings:

• Security in Computing (3^nd Edition), by Charles P. and Shari Lawrence Pfleeger, Prentice Hall, 2003, ISBN 0-13-035548-8
     

Recommended:

·         Computer Security: Art and Science, by Matt Bishop, Addison-Wesley, 2003,
ISBN 0-201-44099-7

Supplemental Readings/Additional Bibliography:

• Computer Related Risks, by Peter G. Neumann, Addison-Wesley, 1995, ISBN 0-201-558
• Information Security: Protecting the Global Enterprise, by Donald L. Pipkin, Prentice Hall, 2000, ISBN 0-13-017323-1
• Information Warfare and Security, by Dorothy E. Denning, Addison-Wesley, 1999,
  ISBN 0-201-43303-6
•  Internet Besieged: Countering Cyberspace Scofflaws, edited by Dorothy E. Denning and Peter J. Denning, 1998, ISBN 0-201-30820-7

Government Reading

Executive Order 13010-Critical Infrastructure Protection (July 15, 1996)

http://www.fas.org/irp/offdocs/eo13010.htm

The President's Commission on Critical Infrastructure Protection (PCCIP) and their final report, "Critical Foundations" (Oct 1997) – Read article summary of the Report

http://www.marshall.org/article.php?id=65

PDD-63 – Critical Infrastructure Protection (May 22, 1998)

http://www.fas.org/irp/offdocs/pdd/pdd-63.htm

U.S. Commission on National Security/21st Century (Hart-Rudman Commission--September 1999)— Review just this web page information--

http://www.disinfopedia.org/wiki.phtml?title=National_Commission_on_Terrorism

Executive Order 13228 - Establishing the Office of Homeland Security and the Homeland Security Council (October 8, 2001)

http://www.fas.org/irp/offdocs/eo/eo-13228.htm

Executive Order 13231 - Critical Infrastructure Protection in the Information Age (October 16, 2001) http://www.fas.org/irp/offdocs/eo/eo-13231.htm

Homeland Security Act of 2002 (H.R. 5005) - http://www.dhs.gov/dhspublic/display?theme=85&content=412

Review--Contents and Title 1 on PDF pages 1-11

“The National Strategy For Homeland Security” (July 16, 2002)

http://www.whitehouse.gov/homeland/book/index.html

Read only— Letter from the President & Executive Summary

“National Strategy to Secure Cyberspace” (February 2003) http://www.whitehouse.gov/pcipb/

Read only— Letter from the President, Executive Summary, & Introduction

“National Strategy for the Physical Protection of Critical Infrastructures and Key Assets”

(February 2003)—Read only--Letter from the President and Executive Summary

http://www.dhs.gov/interweb/assetlibrary/Physical_Strategy.pdf

Executive Order 13231 of October 16, 2001 (as amended by E.O 13286 of February 26, 2003) “Critical Infrastructure Protection in the Information Age”

http://www.dhs.gov/interweb/assetlibrary/EO_13231_Revised.pdf

Homeland Security Presidential Directive (HSPD)-7 (Dec.17, 2003)

Subject: Critical Infrastructure Identification, Prioritization, and Protection

http://www.whitehouse.gov/news/releases/2003/12/print/text/20031217-5.html

“The DHS Strategic Plan--Securing Our Homeland” (February 24, 2004) Read just contents and summary

http://www.dhs.gov/interweb/assetlibrary/DHS_StratPlan_FINAL_spread.pdf

National Infrastructure Advisory Council (NIAC)-- (Just website info and members)

http://www.dhs.gov/dhspublic/display?theme=9&content=3445

Protected Critical Infrastructure Information (PCII) Program— (Just program overview

http://www.dhs.gov/dhspublic/display?theme=92&content=3755

Information Sharing and Analysis Centers (ISACs)—

http://www.dhs.gov/dhspublic/display?theme=73&content=1375&print=true